Optimize self-host Docker image size (#1068)

* Optimize self-host Docker image size

Reduce the self-host runtime image by splitting production deps into a parallel stage, using a distroless cc runtime with a copied Bun binary, moving web-only host dependencies to devDependencies, and copying/pruning only runtime-needed files.

Verification:

DOCKER_BUILDKIT=1 docker build --no-cache --progress=plain -f apps/host-selfhost/Dockerfile -t executor-selfhost-pr:latest .

docker run smoke: /api/health returned OK

Result: image_mb=239.681

* Baseline self-host Docker image size after current Dockerfile optimization

Result: {"status":"keep","image_mb":239.68}

* Simplify self-host Docker runtime packaging

* Bundle self-host server for Docker runtime

* Remove autoresearch log from Docker image PR

* Move self-host runtime packaging into app

* Format self-host package manifest

* Keep self-host app UI packages as dependencies

Author: RhysSullivan

apps/host-selfhost/Dockerfile

@@ -1,36 +1,27 @@
-# Self-hosted Executor — single container, no external services.
-# Build context is the REPO ROOT (the bun workspace install needs every member):
+# Self-hosted Executor, single container, no external services.
+# Build context is the repo root because Bun workspaces need every member:
 #   docker build -f apps/host-selfhost/Dockerfile -t executor-selfhost .
 #
-# Runtime needs nothing but this container + a volume for the data dir:
+# Runtime needs this container plus a volume for the data dir:
 #   docker run -p 4788:4788 -e BETTER_AUTH_SECRET=$(openssl rand -hex 32) \
 #     -e EXECUTOR_BOOTSTRAP_ADMIN_EMAIL=you@example.com \
 #     -e EXECUTOR_BOOTSTRAP_ADMIN_PASSWORD=... \
 #     -e EXECUTOR_WEB_BASE_URL=https://your.domain \
 #     -v executor-data:/data executor-selfhost
-#
-# SQLite (libSQL, file:/data/...) lives in /data, QuickJS + MCP run in-process —
-# so there's no postgres/worker/proxy to orchestrate.
 
-# ── Build stage: install the workspace + build the SPA ──────────────────────
+FROM oven/bun:1 AS prod-deps
+WORKDIR /app
+COPY . .
+RUN bun install --frozen-lockfile --production --ignore-scripts --filter @executor-js/host-selfhost \
+  && bun run apps/host-selfhost/scripts/package-runtime.ts
+
 FROM oven/bun:1 AS build
 WORKDIR /app
 COPY . .
-# Full install (dev deps included — vite/turbo/plugins are needed to build).
 RUN bun install --frozen-lockfile
-# Builds @executor-js/vite-plugin (via turbo) then the self-host SPA into
-# apps/host-selfhost/dist.
 RUN cd apps/host-selfhost && bun run build
-# Reinstall PRODUCTION deps only, so the runtime image excludes the build/dev
-# toolchain pulled by the full workspace install — vite, turbo, wrangler →
-# miniflare → sharp/libvips (~800MB), astro, vitest, etc. The built SPA lives in
-# apps/host-selfhost/dist (outside node_modules), so it survives the reinstall.
-# --ignore-scripts: the root `prepare` hook runs a dev-only tool
-# (effect-language-service); runtime deps are prebuilt JS with no postinstall.
-RUN rm -rf node_modules && bun install --frozen-lockfile --production --ignore-scripts
 
-# ── Runtime stage: serve the built app under Bun ────────────────────────────
-FROM oven/bun:1 AS runtime
+FROM gcr.io/distroless/cc-debian12 AS runtime
 WORKDIR /app
 LABEL org.opencontainers.image.source="https://github.com/RhysSullivan/executor" \
       org.opencontainers.image.description="Single-container self-hosted Executor" \
@@ -39,14 +30,12 @@ ENV NODE_ENV=production \
     EXECUTOR_HOST=0.0.0.0 \
     PORT=4788 \
     EXECUTOR_DATA_DIR=/data
-COPY --from=build /app /app
+COPY --from=prod-deps /usr/local/bin/bun /usr/local/bin/bun
+COPY --from=prod-deps /app/.selfhost-runtime /app
+COPY --from=build /app/apps/host-selfhost/dist /app/apps/host-selfhost/dist
 WORKDIR /app/apps/host-selfhost
-RUN mkdir -p /data
 VOLUME ["/data"]
 EXPOSE 4788
-# Readiness probe against the public /api/health endpoint (a trivial DB ping).
 HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=5 \
   CMD bun -e "fetch('http://127.0.0.1:4788/api/health').then(r=>process.exit(r.ok?0:1),()=>process.exit(1))"
-# serve.ts binds the Effect AppLayer (API + /mcp + /api/auth + /docs) and serves
-# the built SPA from ./dist — one process.
-CMD ["bun", "run", "src/serve.ts"]
+CMD ["bun", "run", "dist-server/serve.js"]

apps/host-selfhost/scripts/package-runtime.ts

@@ -0,0 +1,51 @@
+import { cpSync, existsSync, mkdirSync, rmSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { createRequire } from "node:module";
+
+const root = process.cwd();
+const out = join(root, ".selfhost-runtime");
+const serverOut = join(out, "apps/host-selfhost/dist-server");
+const requireFromSelfHost = createRequire(join(root, "apps/host-selfhost/package.json"));
+
+const externalPackages = [
+  "quickjs-emscripten",
+  "quickjs-emscripten-core",
+  "@jitl/quickjs-ffi-types",
+  "@jitl/quickjs-wasmfile-release-sync",
+  "@jitl/quickjs-wasmfile-debug-sync",
+  "@jitl/quickjs-wasmfile-release-asyncify",
+  "@jitl/quickjs-wasmfile-debug-asyncify",
+  "@libsql/linux-x64-gnu",
+] as const;
+
+const quickJsExternals = externalPackages.filter(
+  (name) => name === "quickjs-emscripten" || name.startsWith("@jitl/"),
+);
+
+const packageDir = (name: string): string => {
+  const packageJson = requireFromSelfHost.resolve(`${name}/package.json`, {
+    paths: [join(root, "node_modules/.bun/node_modules")],
+  });
+  return dirname(packageJson);
+};
+
+const copyPackage = (name: string): void => {
+  const destination = join(out, "node_modules", name);
+  mkdirSync(dirname(destination), { recursive: true });
+  cpSync(packageDir(name), destination, { recursive: true, dereference: true });
+};
+
+rmSync(out, { recursive: true, force: true });
+mkdirSync(serverOut, { recursive: true });
+
+await Bun.$`bun build apps/host-selfhost/src/serve.ts --target=bun --format=esm --outdir=${serverOut} ${quickJsExternals.map((name) => `--external=${name}`)}`;
+
+for (const name of externalPackages) copyPackage(name);
+
+if (!existsSync(join(serverOut, "serve.js"))) {
+  throw new Error(
+    "Expected bundled self-host server at .selfhost-runtime/apps/host-selfhost/dist-server/serve.js",
+  );
+}
+
+console.log(`Packaged self-host runtime into ${out}`);